@meetdilip Interesting thought, this would usually be done within a Display Name rather than a username. However this was done due to Brute Force being a lot easier at the time, when passwords were encrypted with md5 etc, with Brute Force protection, it's not something that's really necessary anymore.
I'll back this up with a few stats. NodeBB requires a password of at least 8 characters, Assuming you use a mixture of letters and numbers, it would take about 1 day 15 hours to brute force that 8 character password due to the 57731386986 combinations. Now imagine after every 3 failed attempts, it has to stop for 15 minutes because the account is locked out, so it's not even trying the combinations anymore. If someone obtained your admin password, it won't be through a brute force attack on NodeBB, it will be something silly like you reusing the same password on Adobes website and them getting hacked.
Interesting story, as you've used SMF in the past. Popular anti virus supplier Avast had their forum hacked (they used SMF) in the press release Avast claimed it was down to a vulnerability in SMF. SMF emailed them and asked them to prove it, or at least allow them to investigate. No vulnerability was found, instead, the attack came from soneone logging in 4 months prior using an admin account, and slowly planting code into SMF via that admins control panel, it was assumed that the Admin had used the same password somewhere else with the same username.
Moral of the story. Use different passwords, you'll be fine.
EDIT: For the giggles, I calculated the time taken to bruteforce my password...
That's 2.3x10+23 times longer than the age of the universe.